RE: 802.1x RADIUS Deployment in Wireless LAN
From: Batkin, Seva (Seva_Batkin_at_canaccord.com)
Date: 11/25/03
- Previous message: jburzenski_at_americanhm.com: "P2P Services and IDS"
- Maybe in reply to: David J. Jackson: "802.1x RADIUS Deployment in Wireless LAN"
- Next in thread: shankarnarayan.d_at_netsol.co.in: "RE: 802.1x RADIUS Deployment in Wireless LAN"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "David J. Jackson" <djackson@netdmz.com>, security-basics@securityfocus.com
Date: Tue, 25 Nov 2003 14:32:33 -0800
Hi There,
I have deployed this scenario based on Cisco APs and MS IAS. We settled on
PEAP using MsCHAPv2 and without key management features. The reason for the
latter was driver support, which at the time was non-existent; however, with
the latest vendor drivers this solution should be viable as well.
The process was relatively straightforward; the most annoying things were
the little details such as:
- getting certificates for the IAS server to use with PEAP. You have to be
careful with server name, domain, etc. It has to match exactly.
- OS issues - the version of IAS that supports PEAP is exclusively for Windows
2003. The IAS included with 2000 does not support PEAP.
- RADIUS authentication fields from Cisco APs. It was mostly trial and error
(and some sniffing) to figure out what works for management and wireless
user authentication. Be careful, however: the latest code (13.JA1) has
changed the NAS-Port-Type from Virtual to Wireless.
In terms of deployment, once we had a test unit locked down and working
perfectly, it was just a matter of slightly modifying configs for each AP
(IP address, hostname, location) and deploying in bulk via CiscoWorks.
The advantage of the current solution is that it works (relatively)
seamlessly with Windows XP out of the box and requires a simple patch
deployment on Win2k clients to support PEAP and 802.1x authentication.
Be careful, however: Windows login is amazingly persistent, and once a user is
authenticated it is relatively hard to get Windows to ask for the password
again (a possible security issue).
Management of this solution is quite easy; for each user you have to make
sure of two things:
- dial-in is enabled (IAS is effectively RAS)
- the user is part of the group which is allowed to use wireless
Below are some links which you may find useful
http://support.microsoft.com/?kbid=815485
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns314/c654/ccmigration_09186a008009c8b3.pdf
http://www.microsoft.com/downloads/details.aspx?FamilyId=009D8425-CE2B-47A4-ABEC-274845DC9E91&displaylang=en
There are also a number of other useful deployment guides on the net.
Feel free to contact me personally if you need a hand.
Thanx
Seva
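Added example (not part of Seva's post or any vendor code): the NAS-Port-Type pitfall above is easy to reproduce offline. The script below builds two constructed RADIUS Access-Request packets, one tagged Virtual (value 5) and one tagged Wireless - IEEE 802.11 (value 19, the RFC 2865 values), decodes the attribute TLVs the way a RADIUS server would, and evaluates a policy condition on NAS-Port-Type. It shows that a policy written against the old "Virtual" behaviour silently rejects every request once the AP firmware starts sending "Wireless", which is the failure mode a defender wants to catch in the test lab, not in production. The packet builder, the fixed all-zero Request Authenticator and the policy sets are assumptions made for the demonstration.

```python
import struct

# RFC 2865 constants: packet code, attribute types and NAS-Port-Type values.
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT_TYPE = 61
NAS_PORT_TYPE_VIRTUAL = 5
NAS_PORT_TYPE_WIRELESS_80211 = 19


def build_access_request(identifier, username, nas_ip, nas_port_type):
    """Constructed sample Access-Request carrying three attributes.

    The 16-byte Request Authenticator is zeroed for determinism; a real
    client fills it with random bytes. No EAP-Message is included because
    the point here is the NAS-Port-Type condition, not the EAP exchange.
    """
    attrs = b""
    attrs += bytes([ATTR_USER_NAME, 2 + len(username)]) + username.encode()
    attrs += bytes([ATTR_NAS_IP_ADDRESS, 6]) + bytes(int(o) for o in nas_ip.split("."))
    attrs += bytes([ATTR_NAS_PORT_TYPE, 6]) + struct.pack("!I", nas_port_type)
    authenticator = b"\x00" * 16
    length = 20 + len(attrs)  # 20-byte header plus attributes
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator + attrs


def parse_radius(packet):
    """Decode the RADIUS header and attribute TLVs.

    Returns (code, identifier, attrs) where attrs maps attribute type to a
    list of raw value byte strings. Length fields are validated so a
    truncated or malformed packet raises instead of being misread.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("length field does not match packet")
    attrs = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, identifier, attrs


def nas_port_type(attrs):
    """Return the NAS-Port-Type integer, or None if the attribute is absent."""
    raw = attrs.get(ATTR_NAS_PORT_TYPE)
    if not raw:
        return None
    return struct.unpack("!I", raw[0])[0]


def policy_matches(attrs, allowed_port_types):
    """Mimic a remote access policy condition 'NAS-Port-Type matches ...'."""
    return nas_port_type(attrs) in allowed_port_types


def check_policy_after_firmware_change():
    """Evaluate an old and an updated policy against requests from both firmware
    behaviours. Both policy sets are assumptions for this demonstration."""
    old_policy = {NAS_PORT_TYPE_VIRTUAL}
    updated_policy = {NAS_PORT_TYPE_VIRTUAL, NAS_PORT_TYPE_WIRELESS_80211}
    before = build_access_request(1, "alice", "10.0.0.2", NAS_PORT_TYPE_VIRTUAL)
    after = build_access_request(2, "alice", "10.0.0.2", NAS_PORT_TYPE_WIRELESS_80211)
    results = {}
    for label, pkt in (("old_firmware", before), ("new_firmware", after)):
        _, _, attrs = parse_radius(pkt)
        results[label] = {
            "nas_port_type": nas_port_type(attrs),
            "old_policy": policy_matches(attrs, old_policy),
            "updated_policy": policy_matches(attrs, updated_policy),
        }
    return results


if __name__ == "__main__":
    for label, outcome in check_policy_after_firmware_change().items():
        print(label, outcome)
```

Running it prints that the old-firmware request passes both policies while the new-firmware request fails the old policy and passes only the updated one. The same decoder can be pointed at a capture of a real Access-Request to confirm which value a given AP build actually sends before a policy is changed.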
-----Original Message-----
From: David J. Jackson [mailto:djackson@netdmz.com]
Sent: Monday, November 24, 2003 9:12 PM
To: security-basics@securityfocus.com
Subject: 802.1x RADIUS Deployment in Wireless LAN
Has anyone deployed RADIUS services in a WLAN environment and if so can you
give me (this list) some feedback as to your experience on the following:
- Design Difficulty?
- Ease of Installation?
- Software OS: Windows 2000, 2003, XP, Linux, Unix, etc.
- Ease of Deployment?
- Ease of Management?
- Dynamic or Static WEP Key Distribution?
I'm also looking for some more specific information on setting up RADIUS
authentication on the WLAN with cards that don't specifically say they
support 802.1x or RADIUS. If I'm using a RADIUS client or Windows XP with
built-in support for 802.1x and Smartcard Authentication, etc. does the
Wireless NIC have to support 802.1x or does it matter?
Also, I found a link on Microsoft's site on setting up RADIUS authentication
for Windows 2000 and Windows 2003 servers. Has anyone used these
articles/instructional guides and if so did they work properly?
Thanks very much in advance for your help with this.
David Jackson, GSEC
djackson@netdmz.com